Amazon Flip-Flop Lands Fire OS Back in Encryption Camp
Mar 7, 2016 12:14 PM PT
Amazon last week announced that it had reversed a previous decision to drop support for local encryption on version 5 of its Fire tablet operating system.
The disclosure came one day after the company joined 14 others to support Apple in its fight against the FBI, which wants the company to create a tool or code to unlock an iPhone that belonged to one of the San Bernardino, California, terrorists.
"In the fall when we released Fire OS 5, we removed some enterprise features that we found customers were not using. All Fire tablets' communication with Amazon's cloud meet our high standards for privacy and security, including appropriate use of encryption," Amazon spokesperson Robin Handaly told LinuxInsider Friday afternoon.
Several hours later, she notified LinuxInsider without explanation that Amazon would continue to provide encryption support for the Fire tablet. "We will return the option for full disk encryption with a Fire OS update coming this spring."
Amazon dropped encryption from its Kindle Fire devices with the launch of its latest operating system, Fire OS 5.
While data transferred from the Fire devices to the Amazon cloud would continue to be encrypted, users with the current Fire OS 5 version no longer have the ability to encrypt data locally on their devices.
Users of existing devices can continue with the encryption support by delaying the software upgrade. Once users upgrade to version 5 of the Fire OS, they lose encryption on their data.
A planned OS upgrade this spring will return the encryption feature to the Fire tablets.
Smoke and Fire
Amazon joined 14 other companies last week in a joint court filing that supports Apple's fight against the FBI. Other companies involved include Box, Cisco, Facebook, Google, Microsoft, Mozilla, Slack, Snapchat and Yahoo.
Amazon declined to explain why it removed encryption from its own device before opposing the FBI's decryption demands against Apple. It remained silent on its reasoning after reversing itself.
"I think Amazon has missed the mark and made an error in judgment by removing full device encryption," said Elliott Abraham, senior security consultant at Adapture.
"Devices like the Amazon Fire, Amazon Kindle and even the little-used Amazon Fire Phone had the ability to store more than just e-books and books from Amazon. These devices are fully functioning smart devices and have been used for email and other services," he told LinuxInsider.
Amazon's decision to remove encryption is a bit of a head-scratcher, said Jason L Bauman, SEO associate at Trinity Insight-Philadelphia. There really are no benefits for anyone.
"The only reason I can think of that is not related to the current encryption debate is that it does tax computing resources, particularly on older devices, so by removing it they can have less powerful and cheaper hardware," he told LinuxInsider prior to Amazon's reversal.
Amazon might have been hedging its posture within the industry related to the FBI vs. Apple issue, Bauman suggested.
"While Amazon might support Apple's position in the debate, they do not have the same level of customer goodwill and deep pockets Apple has to fight the FBI on it," he said.
Amazon might have wanted to absolve itself from any liability associated with a widespread breach of the native encryption on its Fire tablets, said Alex Pezold, CEO of TokenEx. Any breach of personal information from someone breaking Amazon's encryption could be a liability.
"Considering what is going on in the industry, the Apple vs. FBI rumblings have certainly fueled the fire for Amazon to remove encryption from their devices," he told LinuxInsider before Amazon reversed its decision to remove the encryption feature.
Amazon's Fire tablets target children. Plus, the tablet can run banking apps, noted Bauman. Those functions need to be secure.
Shifting Consumer Awareness
Ultimately, Amazon may have decided to move quickly against a negative consumer reaction over the loss of encryption. The consumer does not benefit from Amazon's decision to remove encryption as a core component of the Fire device line, said Pezold.
"They are actually more at risk because they are not focused on securing their own data on these devices," he said.
Consumer attitudes toward encryption are dubbed "the Snowden effect," noted Adapture's Abraham.
"The thought of Big Brother listening in, reading in or otherwise snooping on private matters is of concern to many. We are now witnessing a debate that will only increase in intensity as we try to balance our Fourth Amendment rights with that of ultimate security," he said.
Not Everyone Cares
Growing awareness over the need for better online security may not be a priority for all mobile device users, however, as Mark Aselstine, founder of Uncorked Ventures, discovered when he launched a new version of his website and waited for an SSL certificate.
During the two-day wait for the application to be approved, he discussed the process with nearly a dozen friends. Only two -- a professor of digital media at UC Berkeley and a friend who works with e-commerce clients for a mobile processor -- had any clue what he was talking about, he told LinuxInsider. "I took that to mean that the general public does not know the first thing about encryption."